CVE-2024-37383

RoundCube Webmail Cross-Site Scripting (XSS) Vulnerability

Severity Score

6.1

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

Yes

*KEV

Decision

Attend

*SSVC

Descriptions

Roundcube Webmail before 1.5.7 and 1.6.x before 1.6.7 allows XSS via SVG animate attributes.

Roundcube Webmail anterior a 1.5.7 y 1.6.x anterior a 1.6.7 permite XSS a través de atributos animados SVG.

Matthieu Faou and Denys Klymenko discovered that Roundcube incorrectly handled certain SVG images. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 18.04 LTS, Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10. Rene Rehme discovered that Roundcube incorrectly handled certain headers. A remote attacker could possibly use this issue to load arbitrary JavaScript code. This issue only affected Ubuntu 20.04 LTS, Ubuntu 22.04 LTS and Ubuntu 23.10.

RoundCube Webmail contains a cross-site scripting (XSS) vulnerability in the handling of SVG animate attributes that allows a remote attacker to run malicious JavaScript code.

*Credits: N/A

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

Required

Scope

Changed

Confidentiality

Low

Integrity

Low

Availability

None

Attack Vector

Network

Attack Complexity

Low

Authentication

None

Confidentiality

Partial

Integrity

Partial

Availability

None

* Common Vulnerability Scoring System

SSVC

Decision:Attend

Exploitation

Active

Automatable

Tech. Impact

Partial

* Organization's Worst-case Scenario

Timeline

2024-06-07 CVE Reserved
2024-06-07 CVE Published
2024-10-24 CVE Updated
2024-10-24 Exploited in Wild
2024-10-24 First Exploit
2024-11-14 KEV Due Date
2025-03-30 EPSS Updated

CWE

CWE-79: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')

CAPEC

References (7)

URL	Tag	Source
https://github.com/roundcube/roundcubemail/commit/43aaaa528646877789ec028d87924ba1accf5242
https://github.com/roundcube/roundcubemail/releases/tag/1.5.7
https://github.com/roundcube/roundcubemail/releases/tag/1.6.7
https://lists.debian.org/debian-lts-announce/2024/06/msg00008.html	Mailing List

URL	Date	SRC
https://packetstorm.news/files/id/182334	2024-10-24
https://github.com/bartfroklage/CVE-2024-37383-POC	2024-10-24
https://github.com/amirzargham/CVE-2024-37383-exploit	2024-11-03

URL	Date	SRC

URL	Date	SRC

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Roundcube Search vendor "Roundcube"		Webmail Search vendor "Roundcube" for product "Webmail"				*		-		Affected
Canonical Search vendor "Canonical"		Ubuntu Linux Search vendor "Canonical" for product "Ubuntu Linux"				*		-		Affected
Debian Search vendor "Debian"		Debian Linux Search vendor "Debian" for product "Debian Linux"				*		-		Affected